diff -r dd9f2dd02f85 -r 0e3460341023 server/test/unittest_security.py --- a/server/test/unittest_security.py Tue Aug 18 09:25:44 2009 +0200 +++ b/server/test/unittest_security.py Fri Aug 21 16:26:20 2009 +0200 @@ -265,7 +265,7 @@ self.commit() cnx = self.login('iaminusersgrouponly') cu = cnx.cursor() - aff2 = cu.execute("INSERT Affaire X: X sujet 'cool', X in_state S WHERE S name 'pitetre'")[0][0] + aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0] soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0] cu.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1}, ('a', 's')) 
@@ -347,25 +347,26 @@
 def test_attribute_security_rqlexpr(self):
 # Note.para attribute editable by managers or if the note is in "todo" state
- eid = self.execute("INSERT Note X: X para 'bidule', X in_state S WHERE S name 'done'")[0][0]
+ note = self.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
 self.commit()
- self.execute('SET X para "truc" WHERE X eid %(x)s', {'x': eid}, 'x')
+ note.fire_transition('markasdone')
+ self.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid}, 'x')
 self.commit()
 cnx = self.login('iaminusersgrouponly')
 cu = cnx.cursor()
- cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': eid}, 'x')
+ cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid}, 'x')
 self.assertRaises(Unauthorized, cnx.commit)
- eid2 = cu.execute("INSERT Note X: X para 'bidule'")[0][0]
+ note2 = cu.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
 cnx.commit()
- cu.execute("SET X in_state S WHERE X eid %(x)s, S name 'done'", {'x': eid2}, 'x')
+ note2.fire_transition('markasdone')
 cnx.commit()
- self.assertEquals(len(cu.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s', {'x': eid2}, 'x')),
+ self.assertEquals(len(cu.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s', {'x': note2.eid}, 'x')),
 0)
- cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': eid2}, 'x')
+ cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}, 'x')
 self.assertRaises(Unauthorized, cnx.commit)
- cu.execute("SET X in_state S WHERE X eid %(x)s, S name 'todo'", {'x': eid2}, 'x')
+ note2.fire_transition('redoit')
 cnx.commit()
- cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': eid2}, 'x')
+ cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}, 'x')
 cnx.commit()
 def test_attribute_read_security(self):
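Review bot: Both `self.assertRaises(Unauthorized, cnx.commit)` checks in test_attribute_security_rqlexpr prove only that the commit raised, not that `para` kept its earlier value, so a regression that stores the write and then raises would still pass. After each refusal, consider reading the attribute back, for example `self.assertEquals(cu.execute('Any P WHERE X eid %(x)s, X para P', {'x': note.eid}, 'x')[0][0], 'truc')` after the first and the same with `note2.eid` and `'bidule'` after the second. This assumes the restricted user may read `para`, which the hunk does not show. The test already reuses `cu` after a failed commit, so the connection itself should be usable at that point.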
@@ -398,16 +399,14 @@
 cu.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"')
 cnx.commit()
 self.restore_connection()
- self.execute('SET X in_state S WHERE X ref "ARCT01", S name "ben non"')
+ affaire = self.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
+ affaire.fire_transition('abort')
 self.commit()
 self.assertEquals(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')),
- 2)
+ 1)
 self.assertEquals(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
 'X owned_by U, U login "admin"')),
 1) # TrInfo at the above state change
- self.assertEquals(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
- 'X owned_by U, U login "iaminusersgrouponly"')),
- 1) # TrInfo created at creation time
 cnx = self.login('iaminusersgrouponly')
 cu = cnx.cursor()
 cu.execute('DELETE Affaire X WHERE X ref "ARCT01"')
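Review bot: The total-count assertion that now expects `1)` carries no comment explaining the number, while the admin-owned check beside it does. Judging from the removed `# TrInfo created at creation time` assertion, creating the Affaire apparently no longer records a TrInfo, so a comment such as `# only the 'abort' transition above is recorded` on that line would keep a later reader from restoring the old count. It also means the `DELETE Affaire` that follows is exercised only against a TrInfo owned by admin, which is worth stating if that is the case the test is meant to cover. The enclosing test starts and ends outside the hunk.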
@@ -499,29 +498,34 @@ self.assertRaises(Unauthorized, self.schema['Affaire'].check_perm, session, 'update', eid) cu = cnx.cursor() - cu.execute('SET X in_state S WHERE X ref "ARCT01", S name "ben non"') - cnx.commit() - # though changing a user state (even logged user) is reserved to managers - rql = u"SET X in_state S WHERE X eid %(x)s, S name 'deactivated'" - # XXX wether it should raise Unauthorized or ValidationError is not clear - # the best would probably ValidationError if the transition doesn't exist - # from the current state but Unauthorized if it exists but user can't pass it - self.assertRaises(ValidationError, cu.execute, rql, {'x': cnx.user(self.session).eid}, 'x') + self.schema['Affaire'].set_groups('read', ('users',)) + try: + aff = cu.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0) + aff.fire_transition('abort') + cnx.commit() + # though changing a user state (even logged user) is reserved to managers + user = cnx.user(self.current_session()) + # XXX wether it should raise Unauthorized or ValidationError is not clear + # the best would probably ValidationError if the transition doesn't exist + # from the current state but Unauthorized if it exists but user can't pass it + self.assertRaises(ValidationError, user.fire_transition, 'deactivate') + finally: + self.schema['Affaire'].set_groups('read', ('managers',)) def test_trinfo_security(self): aff = self.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0) self.commit() + aff.fire_transition('abort') + self.commit() # can change tr info comment self.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"', - {'c': u'creation'}) + {'c': u'bouh!'}) self.commit() aff.clear_related_cache('wf_info_for', 'object') - self.assertEquals(aff.latest_trinfo().comment, 'creation') + trinfo = aff.latest_trinfo() + self.assertEquals(trinfo.comment, 'bouh!') # but not from_state/to_state - self.execute('SET X in_state S WHERE X ref "ARCT01", S name "ben non"') - self.commit() 
aff.clear_related_cache('wf_info_for', role='object') - trinfo = aff.latest_trinfo() self.assertRaises(Unauthorized, self.execute, 'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"', {'ti': trinfo.eid}, 'ti')
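Review bot: The `finally:` branch resets Affaire's read permission to a hard-coded `('managers',)` rather than to whatever it was before `set_groups('read', ('users',))`, so if the schema grants read to any other group, the security tests that run afterwards see a different permission set than they were written against. Saving the original first with `orig_read = self.schema['Affaire'].get_groups('read')` and restoring it with `self.schema['Affaire'].set_groups('read', orig_read)` avoids that. A short comment on why read has to be widened here (presumably so the restricted user can fetch the entity before `fire_transition`) would also help, because loosening a permission inside a security test is easy to misread. The first test's body starts outside the hunk.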